Interesting way of protecting credit card data on untrusted hosts

[Peter Gutmann]

A Canadian company called SmartSwipe has come up with an interesting way to
protect credit card numbers from most man-in-the-browser attacks.  What they
do is install a Windows CSP (cryptographic service provider) that acts as a
proxy to an external mag-stripe reader with built-in crypto processing, so the
CSP on the host PC does nothing more than forward data to be encrypted out to
the external device.  There's also a browser plug-in that pre-populates the
credit-card field in web forms with a cookie.  When the page is sent to the
CSP for encryption for SSL, the software running on the reader recognises the
cookie in the web-form content, reads the card data via the mag-stripe reader,
inserts it into the web-form field, and returns the encrypted result to the
host PC to forward to the remote server.  As a result, the CC data is never
present on the host PC.

The downsides are obvious: not secure against phishing (which is a killer),
only works with MSIE because of the requirement for use of a CSP (although you
could do it with Firefox as well by creating a PKCS #11 soft-token), and not
secure against page-rewrite trojans which have the web page show one thing and
do another, but it's an interesting concept.  You can find a description of
the technology under the name Dynamic SSL(tm)(c)(p), a start point is:

http://www.smartswipe.ca/en/dynamic-ssl/600-dynamic-ssl-a-practical-solution-for-endpoint-to-endpoint-encryption

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com